Memory Corruption
Monthly
Local privilege escalation and memory corruption in the Linux kernel's atmel-sha204a crypto driver allows an attacker who can remove or unbind the device to trigger a use-after-free during the driver teardown path. The flaw stems from failing to unregister the hwrng and flush the Atmel I2C workqueue before teardown, letting a queued ->read() callback execute against freed state, and an early return that also leaks the hwrng.priv allocation. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, so this is a defense-in-depth hardening fix rather than an urgent emergency.
Out-of-bounds read in the Linux kernel md/raid5 journal recovery path allows a local privileged user supplying a corrupted MD RAID5 journal device to trigger memory disclosure or kernel crashes during journal replay. The flaw exists in r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb(), which trusted on-disk payload size fields without validating them against the metadata block's remaining space. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02% (5th percentile).
Use-after-free in the Linux kernel's mwifiex Wi-Fi driver (Marvell) occurs during adapter teardown: mwifiex_adapter_cleanup() calls the non-synchronous timer_delete() on the wakeup_timer, so a still-running wakeup_timer_fn callback can dereference adapter fields (hw_status, if_ops.card_reset) after mwifiex_free_adapter() frees them along the card-removal path. A local attacker who can trigger device removal while the timer fires could corrupt freed kernel memory, enabling privilege escalation or denial of service. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%, 5th percentile), and the fix (timer_delete_sync()) is merged into stable releases.
Improper memory deallocation in the Linux kernel's NX-842 hardware compression crypto driver (nx842_crypto_alloc_ctx/free_ctx) causes bounce buffers allocated as order-2 (4 pages) to be released with single-page free_page() calls, leaking three of every four pages. The flaw is local-only with no public exploit identified at time of analysis, and EPSS (0.02%, 5th percentile) reflects negligible mass-exploitation interest. Note that the NVD CVSS (7.8, C:H/I:H/A:H) appears overstated for what the upstream commit explicitly describes as a memory leak rather than corruption.
Use-after-free in the Linux kernel Bluetooth subsystem (hci_event) allows an adjacent attacker within Bluetooth range to potentially achieve memory corruption against vulnerable hosts during SSP pairing. The flaw stems from missing hdev locking in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), where an hci_conn structure can be freed concurrently while still in use. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%).
Use-after-free in the Linux kernel's QRTR (Qualcomm IPC Router) name service driver remove path allows local low-privileged users to corrupt memory and potentially escalate privileges. The flaw occurs because qrtr_ns_data_ready() can queue work to a workqueue that has already been destroyed during driver teardown, dereferencing freed memory. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the fix has landed across multiple stable kernel trees.
Data corruption in the Linux kernel md-llbitmap RAID subsystem allows stale bitmap pages to be read from spare disks during rebuild. The md-llbitmap code iterated rdevs checking only raid_disk assignment and the Faulty flag, omitting the In_sync flag, so bitmap data could be sourced from a not-yet-synchronized spare. No public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%), but the bug can silently corrupt arrays during normal operation or recovery.
Local privilege escalation in the Linux kernel's vfio/cdx (Composable DMA-capable eXtension) driver allows a process with access to a VFIO device file descriptor to trigger a use-after-free of the cdx_irqs array via concurrent VFIO_DEVICE_SET_IRQS ioctls. The race in vfio_cdx_set_msi_trigger() can be exploited by a local low-privileged attacker for memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis and EPSS is very low (0.02%, 5th percentile).
Local privilege escalation and memory corruption in the Linux kernel's MediaTek JPEG (mtk-jpeg) media driver allows a local user with access to the device to trigger a use-after-free condition. The flaw occurs in mtk_jpeg_release() which frees the context structure without first cancelling pending workqueue items, creating a race window during device close where the worker thread accesses freed memory. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, but the bug is fixed across multiple stable trees.
Local privilege escalation potential in the Linux kernel's Nouveau DRM driver stems from a 32-bit integer overflow in the pushbuf relocation bounds check (nouveau_gem_pushbuf_reloc_apply). Authenticated local users with access to the Nouveau GPU device node can bypass the size validation and trigger out-of-bounds writes against the buffer object, leading to high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but a vendor patch is available across multiple stable kernel branches.
Use-after-free in the Linux kernel ALSA caiaq USB audio driver allows local code execution when the device probe path encounters an error during setup_card(). The setup_card() function previously ignored failures from snd_card_register() and continued executing, leaving freed card structures accessible to subsequent initialization calls such as snd_usb_caiaq_control_init(). No public exploit identified at time of analysis, and EPSS is low at 0.02% (5th percentile), consistent with the local attack vector and narrow hardware-driver scope.
Stack buffer overrun in the Linux kernel's pt5161l hwmon driver allows a malicious or malfunctioning I2C device to write up to 32 bytes into a 24-byte stack buffer during pt5161l_read_block_data(), corrupting kernel memory. The flaw affects Linux 6.9 through versions before the stable fixes, and a secondary bug causes the driver to process stale data as valid when retries are exhausted with a length mismatch. EPSS is very low (0.02%) and no public exploit identified at time of analysis.
Use-after-free in the Linux kernel's rxrpc (AF_RXRPC) networking subsystem allows local attackers with low privileges to trigger memory corruption when skb_unshare() fails during packet input handling. Affected Linux kernel versions from 6.2 up to the fixed releases can be exploited to cause a NULL-pointer oops and potentially escalate privileges or crash the system. No public exploit identified at time of analysis; EPSS is very low (0.02%) and the issue is not present in CISA KEV.
Use-after-free in the Linux kernel's i.MX SPI driver (spi-imx) can be triggered when the driver is unbound, allowing a local privileged user to corrupt kernel memory and potentially escalate to full kernel code execution. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a kernel-level UAF with high CIA impact warrants prompt patching on affected i.MX-based systems.
Use-after-free in the Linux kernel's io_uring zero-copy receive (zcrx) subsystem allows local low-privileged attackers to corrupt memory and potentially escalate privileges. The flaw stems from io_free_rbuf_ring() accessing a struct user_struct after io_zcrx_ifq_free() has already released the reference, creating a UAF window. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the bug class (UAF in io_uring) has historically been weaponized for LPE.
Heap out-of-bounds write in the Linux kernel UDF filesystem driver allows a local attacker to corrupt kernel memory by mounting a crafted UDF image containing repeated partition descriptors. The flaw stems from incorrect bookkeeping in handle_partition_descriptor() where appended slots never record partnum, causing duplicate descriptors to overflow the part_descs_loc[] table. No public exploit identified at time of analysis, and EPSS scores the exploitation probability at only 0.02%.
Use-after-free in the Linux kernel's Open Firmware (OF) device tree unittest driver (testdrv_probe) allows local low-privileged attackers to corrupt memory and potentially escalate privileges. The flaw stems from an erroneous of_node_put() call that releases a device_node reference owned by the device model, which can then be dereferenced later in of_platform_default_populate(). EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a vendor patch is available.
Local privilege escalation potential in the Linux kernel's GFS2 filesystem stems from a use-after-free in the inline data write path of gfs2_iomap_begin(), where the inode buffer head is released before iomap->inline_data is consumed by iomap_write_end_inline(). Local users with the ability to write to a GFS2-backed filesystem can trigger memory corruption via a freed page that kswapd has since reclaimed. No public exploit identified at time of analysis, EPSS probability is very low (0.02%), and the issue is not listed in CISA KEV, but vendor patches across multiple stable trees are available.
Local privilege escalation and denial of service in the Linux kernel's AMD XDNA (amdxdna) accelerator driver allows authenticated local users to trigger a use-after-free condition by submitting jobs to a hardware context concurrently with resource release. The flaw affects kernels in the 6.14.9 through 6.15 series and was resolved upstream by stopping job scheduling around aie2_release_resource() and validating context state in aie2_sched_job_run(). No public exploit identified at time of analysis, and EPSS scoring (0.02%) indicates negligible near-term exploitation probability.
Use-after-free and double-free conditions in the Linux kernel's SMB client (smb2_open_file) can be triggered when SMB2_open() retry paths fail to zero out err_iov and err_buftype buffers, leading to memory corruption. The flaw affects multiple stable kernel branches (6.1, 6.6, 6.12, 6.18) and is fixed in upstream patches; no public exploit identified at time of analysis and EPSS is very low (0.02%) despite the 9.8 CVSS score.
Use-after-free in the Linux kernel bonding driver's Adaptive Load Balancing (ALB) subsystem allows a local low-privileged user to crash the kernel by racing rlb_arp_recv() against rlb_deinitialize() during rapid bond interface up/down cycling. Specifically, the RX handler continues to dereference rx_hashtbl entries after rlb_deinitialize() frees them, because recv_probe is set to NULL without first draining in-flight softirq handlers via synchronize_net(). Systems running bonded NICs in ALB mode (mode=6) on affected kernel versions - including Dell PowerEdge hardware and Canonical-distributed kernels - are at risk of kernel panic. No public exploit identified at time of analysis, and EPSS at 0.02% (7th percentile) confirms no observed mass exploitation.
Local privilege escalation and memory corruption in the Linux kernel's Exynos DRM VIDI (Virtual Display) driver allows local users with access to the DRM device to trigger null pointer dereferences, garbage value accesses, out-of-bounds reads, or use-after-free conditions via the vidi_connection_ioctl() handler. The flaw stems from an incorrect device-to-context lookup that retrieves driver_data from the exynos-drm master device instead of the VIDI component device. A vendor patch is available across multiple stable branches, no public exploit identified at time of analysis, and EPSS rates exploitation probability at only 0.02%.
Local privilege escalation in the Linux kernel's BPF subsystem stems from incorrect refcounting in check_pseudo_btf_id() that can leave a BTF (BPF Type Format) object with a zero refcount while still in use, creating a use-after-free condition. Affected kernels (around 6.14 through pre-patch 6.18.14/6.19.4) allow a local low-privileged user capable of loading BPF programs to corrupt kernel memory, with no public exploit identified at time of analysis and EPSS scoring exploitation likelihood at only 0.02%.
Use-after-free in the Linux kernel's ab8500 power supply driver (drivers/power/supply/ab8500) can be triggered during device removal or probe due to incorrect ordering of devm_-managed resource allocation. The race allows an IRQ handler to invoke power_supply_changed() against a freed or uninitialized power_supply handle, typically resulting in a kernel crash or silent memory corruption. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the flaw is not on CISA KEV.
Memory corruption in the Linux kernel's pm8916_lbc power-supply driver (Qualcomm PM8916 PMIC linear battery charger) stems from a use-after-free in power_supply_changed(), where devm-managed teardown ordering lets a charger interrupt fire against a freed or not-yet-initialized power_supply handle during driver probe or removal. Local attackers able to trigger device unbind/rebind or module load/unload can crash the system or silently corrupt kernel memory. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis; the issue is not in CISA KEV.
Use-after-free in the Linux kernel's goldfish power-supply driver (drivers/power/supply/goldfish_battery) allows a local attacker to crash the system or corrupt kernel memory by racing device probe/removal against the battery IRQ handler. The driver requested its IRQ via devm_ before registering the power_supply handle, so on teardown the handle is freed while the still-live interrupt can fire and call power_supply_changed() on freed (or, during probe, uninitialized) memory. No public exploit identified at time of analysis; EPSS is negligible (0.02%) and the bug is not in CISA KEV.
Use-after-free in the Linux kernel's OpenVPN data channel offload (ovpn) module allows a local attacker with low privileges to potentially trigger memory corruption when transmitting shared sk_buff packets through ovpn_net_xmit. The flaw stems from continued use of a stale skb pointer after skb_share_check frees the original buffer, affecting peer lookup, skb_dst_drop, and TX statistics paths. No public exploit identified at time of analysis, and the EPSS probability is very low (0.02%), suggesting the bug is more of a stability and memory-safety concern than an imminently weaponized vector.
Local privilege-relevant memory corruption in the Linux kernel's sbs-battery power supply driver (drivers/power/supply/sbs-battery) stems from a use-after-free in power_supply_changed(). Because the driver requested its IRQ via devm_ before allocating/registering the power_supply handle, devm teardown frees the handle in reverse order while the interrupt is still live, so an SMBus battery interrupt firing during device removal (or before registration during probe) invokes power_supply_changed() on a freed or uninitialized pointer, typically crashing the system or silently corrupting memory. EPSS is negligible (0.02%, 7th percentile), no public exploit is identified, and it is not on CISA KEV; the fix is upstream-committed and shipped in multiple stable releases.
Local memory corruption affects the Linux kernel's hwmon ibmpex driver, where commit 6946c726c3f4 - intended to fix a use-after-free in the high/low sysfs store handlers - instead introduced a new race condition by setting driver data to NULL before removing sensor attributes. The remediation is a revert of that flawed commit across the 6.1, 6.6, 6.12, 6.18, and 6.19 stable trees. With EPSS at 0.02% (7th percentile), no public exploit identified at time of analysis, and no CISA KEV listing, real-world risk is minimal given the obscure IBM PowerExecutive sensor hardware the driver targets.
Use-after-free in the Linux kernel's pf1550 power-supply driver (drivers/power/supply/pf1550) lets a queued hardware interrupt invoke power_supply_changed() on an already-freed power_supply handle during module/device removal, and can also dereference an uninitialized handle during probe. The flaw stems from devm-managed resource ordering: the IRQ was requested before the power_supply was registered, so devm teardown frees the power_supply first. Impact is typically a kernel crash or silent memory corruption. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.
Local privilege-level use-after-free in the Linux kernel's bq256xx battery charger driver (power: supply: bq256xx) allows memory corruption when a charger IRQ fires during device probe or removal, calling power_supply_changed() against a freed or uninitialized power_supply handle. The flaw stems from devm_ resources being released in reverse order, so the IRQ outlives the power_supply registration; triggering it typically crashes the system or silently corrupts kernel memory. No public exploit is identified at time of analysis and EPSS exploitation probability is negligible (0.02%, 7th percentile), with no CISA KEV listing.
Local privilege-impacting memory corruption in the Linux kernel's cpcap-battery power supply driver allows a use-after-free in power_supply_changed() triggered during device probe or removal. The driver requested its IRQ via devm_ before registering the power_supply handle, so on teardown the handle is freed while the interrupt handler can still fire, dereferencing freed memory and typically crashing the system or silently corrupting memory. EPSS is negligible (0.02%, 7th percentile) and there is no public exploit identified at time of analysis; the issue is confined to Motorola CPCAP PMIC hardware (e.g. Droid 4) rather than general-purpose servers.
Use-after-free in the Linux kernel's pm8916_bms_vm power-supply driver (for Qualcomm PM8916 battery monitoring on certain Snapdragon SoCs) lets a freed power_supply handle be dereferenced when an IRQ fires during device removal or probe, corrupting kernel memory or crashing the system. The flaw stems from devm-managed IRQ registration occurring before the power_supply handle was registered, so devm's reverse-order teardown frees the handle while the interrupt is still live. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; impact is realistically a local denial of service on the narrow set of devices using this driver.
Local privilege-level use-after-free in the Linux kernel's bq25980 battery charger power-supply driver (drivers/power/supply/bq25980.c) allows a triggered IRQ to call power_supply_changed() on a freed or uninitialized power_supply handle, typically crashing the system or corrupting memory. The flaw stems from devm-managed IRQ registration ordering relative to power_supply registration, creating a race during driver probe and removal. EPSS is negligible (0.02%, 7th percentile), there is no public exploit identified at time of analysis, and it is not on CISA KEV; the fix is committed upstream and shipped in multiple stable kernels.
Local privilege escalation potential via a use-after-free in the Linux kernel's act8945a power supply driver, where the ACT8945A PMIC IRQ is requested before the power_supply handle is registered (and torn down after it during removal), letting an interrupt invoke power_supply_changed() on a freed or uninitialized handle. Affected systems run vulnerable Linux kernel builds (pre-6.6.128, pre-6.12.75, pre-6.1.165, pre-5.15.202, pre-5.10.252, and others) with the act8945a driver bound to real Atmel/Microchip SAMA5-class hardware. There is no public exploit identified at time of analysis; EPSS is very low (0.02%, 7th percentile) and the flaw is not in CISA KEV.
Local privilege-bounded use-after-free in the Linux kernel's CAIF serial line discipline (caif_serial / CONFIG_CAIF_TTY) lets a local attacker corrupt kernel memory by racing ldisc_close() against packet transmission. ldisc_close() drops the tty reference via tty_kref_put() while the CAIF network device is still live, so a concurrent caif_xmit()/handle_tx() can dereference the freed tty (ser->tty) and call tty->ops->write() on dangling memory, confirmed by a KASAN slab-use-after-free report. A reproducer is published, but no public weaponized exploit and no active exploitation are recorded; EPSS is 0.02% (7th percentile), consistent with a niche driver and a tight race window.
Local privilege escalation potential in the Linux kernel's GFS2 (Global File System 2) filesystem stems from a slab-use-after-free in qd_put() that corrupts the quota data LRU list during filesystem shutdown. Local authenticated users with access to a GFS2 mount could trigger the shrinker path (gfs2_qd_shrink_scan) to dereference freed objects, with EPSS at 0.02% indicating no public exploit identified at time of analysis. The flaw was introduced by commit a475c5dd16e5 which began freeing quota data synchronously without removing entries from the LRU list first.
Memory corruption in the Linux kernel's AMD GPU driver (amdgpu) arises because amdgpu_gmc_get_nps_memranges() releases buffers allocated by amdgpu_discovery_get_nps_info() with kfree() even though that memory may have been allocated via kvcalloc()/vmalloc(), corrupting the kernel allocator state. The flaw affects systems running AMD GPUs on kernels prior to the fixed stable releases (6.12.75, 6.18.14, 6.19.4, and 7.0). There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and the issue was found via static analysis and code review rather than in-the-wild exploitation.
Local privilege-escalation-class memory corruption in the Linux kernel's BPF arena subsystem (introduced around 6.9) allows a process holding BPF capabilities to trigger a use-after-free. When a BPF arena VMA is inherited across fork(), arena_vm_open() bumps the mmap refcount but never registers the child VMA in arena->vma_list, leaving vml->vma pointing at the parent VMA; after the parent munmaps, a child call to bpf_arena_free_pages() dereferences the dangling pointer in zap_pages(). No public exploit or active exploitation is identified (EPSS 0.02%, 5th percentile), and vendor patches are available.
Out-of-bounds write in NVIDIA Virtual GPU Manager exposes virtualized GPU deployments to denial of service, data tampering, and information disclosure. A local, low-privileged attacker operating within a virtualized environment can trigger the memory corruption flaw in the host-side vGPU manager component across multiple affected driver branches (vGPU 16.x through 20.x). No public exploit code exists at time of analysis, and EPSS probability is at the 2nd percentile, but the high availability impact (A:H in CVSS) and the prevalence of vGPU in enterprise virtualization infrastructure warrant prompt patching.
Local privilege escalation and code execution in NVIDIA Virtual GPU Manager arises from a use-after-free on stack memory within the vGPU hypervisor component. Authenticated local attackers on the host or guest side of an affected vGPU deployment (vGPU branches 16.x through 20.x) can trigger memory corruption that may yield DoS, info disclosure, data tampering, or arbitrary code execution. No public exploit identified at time of analysis and EPSS is 0.01%, but SSVC rates technical impact as total.
Local privilege escalation in the NVIDIA Display Driver for Windows and Linux allows an authenticated low-privileged user to trigger an out-of-bounds write (CWE-787) in the kernel-mode driver, potentially leading to code execution, privilege escalation, information disclosure, data tampering, or denial of service. The flaw affects GeForce, RTX/Quadro/NVS, and Tesla product lines, with NVIDIA confirming the vulnerability and releasing patched driver versions. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.01%.
Local privilege escalation and code execution in the NVIDIA Display Driver for Linux (GeForce, RTX/Quadro/NVS, Tesla, and vGPU Guest/Manager components) stems from a use-after-free memory corruption flaw (CWE-416) that a local low-privileged user can trigger to compromise the kernel-level driver. The scope-changed CVSS 8.8 score reflects that successful exploitation crosses a trust boundary, potentially yielding code execution, privilege escalation, information disclosure, data tampering, or denial of service. EPSS is 0.01% (1st percentile) and there is no public exploit identified at time of analysis, but a vendor patch is available across all affected branches.
Out-of-bounds write in Autodesk 3ds Max 2026 and 2027 enables arbitrary code execution when a user opens a maliciously crafted TIF image file, with impact ranging from process crash to data corruption to code execution in the context of the running application. The flaw requires local file handling and user interaction (UI:R), and there is no public exploit identified at time of analysis. EPSS is negligible (0.01%) and SSVC marks exploitation status as none, but the technical impact is rated total, making this a credible client-side risk for design and VFX workstations.
Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a maliciously crafted .solv repository metadata file. The flaw stems from insufficient input validation during decompression of attacker-controlled data, enabling information disclosure, control-flow alteration, or denial of service across multiple Red Hat Enterprise Linux releases and SUSE distributions. SSVC marks exploitation as PoC-level with total technical impact, while EPSS remains very low at 0.01%, indicating limited probability of widespread exploitation despite high severity.
Heap use-after-free write in libyang before 5.2.6 enables remote authenticated attackers to crash processes or potentially execute code by submitting crafted YANG XML documents to applications using the library for parsing. The flaw resides in lyd_parser_set_data_flags, which mishandles metadata list pointers when freeing non-head default metadata entries. No public exploit identified at time of analysis, EPSS is low at 0.03%, and SSVC rates technical impact as partial with no automatable exploitation.
Remote code execution in FastNetMon Community Edition through 1.2.9 stems from an off-by-one heap write in the pervasively-used dynamic_binary_buffer_t class, reachable by anyone who can send NetFlow, sFlow, IPFIX, or BGP traffic to the DDoS-detection appliance. Because the flawed buffer is exercised during BGP encoding/decoding, NetFlow template parsing, and Flow Spec NLRI construction, an unauthenticated network attacker can corrupt adjacent heap metadata and potentially execute arbitrary code. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), but no public exploit is identified at time of analysis and it is not listed in CISA KEV.
runAsNonRoot bypass in containerd allows crafted container images to execute as UID 0 despite Kubernetes security policies designed to prevent root execution. The flaw stems from containerd treating numeric USER directives that overflow a 32-bit integer as usernames, and if the image's /etc/passwd maps that string to root, the container runs as root. No public exploit identified at time of analysis, but the issue was responsibly disclosed by Lei Wang (@ssst0n3) and fixed in multiple containerd release branches.
Out-of-bounds heap write in the Linux kernel's IPv6 RPL Source Routing Header (SRH) processing path allows local attackers with raw IPv6 socket access to corrupt memory beyond the skb buffer. The flaw in ipv6_rpl_srh_rcv() occurs when a recompressed SRH grows larger than the received one and consumes unchecked headroom, causing skb_mac_header_rebuild() to wrap a u16 offset and trigger a ~64KiB out-of-bounds memmove. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug is reachable from unprivileged userspace via a single crafted AF_INET6/SOCK_RAW packet over loopback per the reporter's KASAN reproduction.
Local privilege escalation and potential memory corruption in the Linux kernel's rtmutex (real-time mutex) subsystem stems from remove_waiter() incorrectly operating on the current task instead of waiter::task during proxy-lock rollback in futex_requeue() paths. Exploitation can leave a dangling pi_blocked_on pointer primed for a use-after-free, with CVSS 7.8 (AV:L/AC:L/PR:L/UI:N) reflecting local low-privileged access. EPSS is 0.02% (7th percentile) and no public exploit identified at time of analysis, but the UAF primitive is a known building block for kernel privilege escalation.
Local privilege-level data corruption in the Linux kernel's accel/ivpu driver (Intel VPU accelerator) allows authenticated local users to trigger incorrect device access and memory corruption by re-exporting imported GEM (Graphics Execution Manager) buffer objects via the DMA-BUF prime interface. The flaw stems from the missing validation that allowed buffer flag settings to be lost on re-export, and while CVSS rates it 7.8 High due to local high-impact effects, EPSS is only 0.02% and no public exploit identified at time of analysis.
Use-after-free in the Linux kernel's udlfb (DisplayLink USB framebuffer) driver allows a local user with access to the framebuffer device to retain read/write access to freed kernel memory pages after a USB disconnect or framebuffer reallocation. The dlfb_ops_mmap() function maps vmalloc-backed framebuffer pages to userspace without installing vm_ops callbacks, so the kernel cannot track active mappings and vfree() is called on pages still referenced by user PTEs. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the issue is not listed in CISA KEV.
Local privilege escalation in FreeBSD via the ptrace(PT_SC_REMOTE) interface allows an unprivileged user with debug access to a process to trigger arbitrary kernel code execution by abusing improperly validated parameters in syscall(2) and __syscall(2) meta-system calls. Affected releases include FreeBSD 14.3, 14.4, and 15.0 prior to their respective patch levels, and no public exploit identified at time of analysis. EPSS exploitation probability is low (0.02%) but the CVSS base score of 8.4 reflects high impact across confidentiality, integrity, and availability once a foothold exists.
A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object. In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability. The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges.
Heap-based buffer overflow in MediaArea MediaInfoLib's LXF (Leitch eXchange Format) element parser allows attackers to achieve arbitrary code execution when a victim opens a maliciously crafted LXF media file. The flaw, disclosed by Cisco Talos as TALOS-2026-2371 and assigned CWE-823, requires user interaction and local file access but no privileges, and at the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.
Out-of-bounds write in Netatalk versions 2.0.4 through 4.4.2 stems from a missing o_len bounds check in the pull_charset_flags() character-set conversion routine, enabling remote attackers with low privileges to corrupt memory and potentially compromise confidentiality, integrity, and availability of the AFP file server. The flaw is addressed in Netatalk 4.4.3, and no public exploit has been identified at time of analysis.
Out-of-bounds write in Netatalk versions 2.0.4 through 4.4.2 affects the convert_charset() routine during null termination handling, exposing the AppleTalk/AFP server implementation to memory corruption. Authenticated remote attackers can trigger heap or stack corruption that threatens confidentiality, integrity, and availability of the host. No public exploit identified at time of analysis, and the vendor has shipped a corrective release in 4.4.3.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 allows a remote attacker to execute arbitrary code within the renderer sandbox via a crafted HTML page that triggers a use-after-free in the DOM implementation. The flaw requires user interaction (visiting a malicious page) but no authentication, and while Chromium rates its security severity as Medium, the CVSS 3.1 base score of 8.8 reflects high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 stems from a use-after-free flaw in the WebRTC component, enabling a remote attacker to run arbitrary code when a victim visits a crafted HTML page. Chromium rates the severity as High and the CVSS 3.1 score is 8.8, but exploitation requires user interaction (UI:R); no public exploit identified at time of analysis.
Remote code execution in Google Chrome on Windows prior to 148.0.7778.179 stems from a use-after-free flaw in the XR (WebXR) component, enabling a remote attacker to run arbitrary code in the renderer process by enticing a user to visit a crafted HTML page. Chromium rates the issue High severity and CVSS scores it 8.8; no public exploit identified at time of analysis and SSVC reports exploitation status as none. A vendor patch is available via the Stable Channel update referenced in the Chrome Releases advisory.
Sandbox escape in Google Chrome (Linux and ChromeOS) prior to 148.0.7778.179 allows a remote attacker who has already compromised the renderer process to break out via a crafted video file processed by the GFX component. The flaw is a type confusion (CWE-843) rated High severity by Chromium, with no public exploit identified at time of analysis and SSVC indicating exploitation has not been observed. It requires user interaction and chained exploitation of a prior renderer compromise, which raises the bar despite the High CVSS of 7.5.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 stems from a use-after-free condition in the QUIC networking stack, allowing remote attackers to execute arbitrary code within the browser sandbox via malicious network traffic. Exploitation requires user interaction (visiting a malicious site or processing attacker-controlled QUIC traffic), and no public exploit has been identified at time of analysis. Chromium rates this as High severity, and a vendor patch is available.
Remote code execution in Google Chrome on Windows prior to version 148.0.7778.179 stems from a use-after-free condition in the GPU component, enabling a remote attacker to run arbitrary code within the renderer sandbox after the victim loads a crafted HTML page. Google has rated the issue High severity and shipped a fix; no public exploit identified at time of analysis and SSVC indicates exploitation status 'none' despite total technical impact.
Remote code execution in Google Chrome on Linux before 148.0.7778.179 stems from a use-after-free flaw in the WebRTC component, allowing a remote attacker who lures a victim to a crafted HTML page to execute arbitrary code in the renderer process. Chromium rates the severity as Critical and a vendor patch is available, though there is no public exploit identified at time of analysis and SSVC indicates no observed exploitation. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability with required user interaction (visiting a page).
Out-of-bounds write in NVIDIA TensorRT allows remote attackers to corrupt memory and tamper with data processed by the inference engine, per NVIDIA's own advisory (KB 5836). The CVSS 8.2 score reflects high integrity impact with no privileges or user interaction required, though confidentiality is unaffected. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Memory corruption in ISC BIND 9's DNS-over-HTTPS (DoH) implementation lets remote attackers trigger a use-after-free (CWE-416) by interacting with the DoH endpoint, affecting BIND 9.20.0-9.20.22, 9.21.0-9.21.21, and the 9.20.9-S1-9.20.22-S1 subscription builds; the older 9.18.x branch is explicitly not affected. The vendor scores it CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), implying unauthenticated remote impact, though CISA's SSVC rates technical impact as only 'partial' and exploitation as 'none'. There is no public exploit identified at time of analysis and EPSS is very low (0.02%, 7th percentile), indicating no observed exploitation activity.
Remote denial of service in NLnet Labs Unbound recursive DNS resolver (versions up to and including 1.25.0) allows an attacker controlling a DNSSEC-signed domain to crash the resolver process with a single crafted query. The DNSSEC validator uses an incorrect counter when computing write offsets for ADDITIONAL section rrsets while building chase-reply messages, leaving an uninitialized pointer that is later dereferenced. No public exploit identified at time of analysis, and the issue is fixed in Unbound 1.25.1.
Use-after-free in the DNSSEC validator of NLnet Labs Unbound resolver versions 1.19.1 through 1.25.0 allows remote attackers to crash the daemon or potentially achieve arbitrary code execution by serving a malicious signed zone to a vulnerable resolver. The flaw stems from a struct-assignment bug during deep copying of response messages when DS sub-queries suspend validation under NSEC3 computational budget exhaustion. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.1 with network attack vector and no required privileges or user interaction makes this a high-priority patching target for any operator running a recursive Unbound resolver.
Heap buffer overflow write in libheif (versions ≤ 1.21.2) lets a crafted HEIF/AVIF file write 64 bytes of attacker-controlled data past a chroma-plane heap allocation during grid tile compositing. Any application using libheif to decode untrusted images - image viewers, file managers, browsers, mobile OS thumbnailers - is exposed, with CVSS 8.8 reflecting likely code execution after user-triggered file open. No public exploit identified at time of analysis, but the deterministic 64-byte fully-controlled overflow is highly favorable for exploitation.
Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.
Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.
Out-of-bounds write in Samsung's Escargot lightweight JavaScript engine (commit 590345cc6258317c5da850d846ce6baaf2afc2d3) allows attackers to corrupt memory by inducing buffer overflows through crafted JavaScript. Exploitation requires local execution of attacker-supplied script content with user interaction, but successful triggering yields high impact to confidentiality, integrity, and availability (CVSS 7.8). No public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Use-after-free memory corruption in Samsung's Escargot JavaScript engine (commit 590345cc6258317c5da850d846ce6baaf2afc2d3) enables pointer manipulation when processing crafted JavaScript content, with CVSS 7.8 reflecting high-impact local exploitation requiring user interaction. The affected codepaths include evaluator error handling, TypedArray copyWithin operations on resizable buffers, DataView coercion, and array fast-mode transitions - all triggerable by attacker-controlled script. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Use-After-Free memory corruption in OpenHarmony v6.0 and prior enables a local attacker with low privileges to execute arbitrary code, achieving a changed scope with high availability impact. The vulnerability is rooted in CWE-416, where freed memory regions are accessed without proper lifecycle management, a class of flaw frequently exploitable for control-flow hijacking. No public exploit code or CISA KEV listing has been identified at time of analysis, though the OpenHarmony security team has published a formal disclosure.
Out-of-bounds write in OpenHarmony v6.0 and earlier enables a local low-privileged attacker to corrupt memory and trigger an unrecoverable denial-of-service condition on affected devices. The flaw was disclosed by the OpenHarmony project itself, and no public exploit identified at time of analysis. Although CVSS scores it 8.4 (High) due to scope change and high confidentiality/integrity impact, the vector indicates local-only access with low privileges already required.
Arbitrary code execution in OpenHarmony v6.0 and earlier enables remote attackers with low privileges to execute code within pre-installed apps via an out-of-bounds write (CWE-787). The CVSS 8.8 vector reflects network-reachable exploitation with low complexity and no user interaction once minimal privileges are obtained, yielding high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Heap-use-after-free in Magick.NET's MSL (Magick Scripting Language) decoder causes a denial-of-service condition when processing a crafted MSL image file. All Magick.NET NuGet package variants across Q16, Q16-HDRI, and multi-architecture builds prior to version 14.13.1 are affected. No public exploit code and no confirmed active exploitation (CISA KEV) have been identified at time of analysis; the CVSS vector indicates local-only access with availability-only impact, classifying this as a crasher rather than a code execution or data exposure issue.
Heap out-of-bounds write in the Crypt::OpenSSL::PKCS12 Perl module (versions up to and including 1.94) allows attackers who can supply a malicious PKCS12 file processed via info() or info_as_hash() to corrupt heap memory and potentially achieve remote code execution. The flaw stems from an integer overflow when an OCTET STRING or BIT STRING attribute on a SAFEBAG is >= 1 GiB in size, causing an undersized allocation followed by an OOB write. No public exploit identified at time of analysis, but the upstream patch and oss-security disclosure are public.
Use-after-free vulnerability in Open5GS NRF component (versions up to 2.7.7) allows authenticated remote attackers to trigger denial of service via the discover_handler function in nghttp2-server.c. Publicly available exploit code exists (GitHub issue #4476), but vendor has not responded to early disclosure. EPSS data not available; CVSS 4.3 (Medium) reflects limited scope (DoS only, authenticated access required). Not listed in CISA KEV, indicating no confirmed widespread exploitation despite public POC.
Memory corruption in radare2 6.1.5's GDB client allows remote attackers to crash the application or potentially execute code through malformed thread information responses. The vulnerability triggers when the GDB remote protocol's qsThreadInfo command fails after qfThreadInfo has allocated memory, causing a use-after-free condition. While no public exploits have been identified, the CVSS 8.7 score reflects the potential for remote unauthenticated denial of service impact.
Remote attackers can trigger memory corruption in radare2 6.1.5 through its GDB remote debugging interface, causing denial of service or potentially achieving code execution. The use-after-free vulnerability in gdbr_threads_list() occurs when processing a valid qfThreadInfo response followed by a malformed qsThreadInfo response, leading to improper memory management. VulnCheck reported this issue and vendor patch commit c213ad6894a1eb9086ac8bf5fae35757e9e1683c addresses the vulnerability.
Heap buffer overflow in Imager for Perl versions through 1.030 allows remote attackers to corrupt memory and potentially read limited data via specially crafted multi-frame GIF files. The vulnerability stems from missing bounds validation in the skip-image code path of i_readgif_multi_low(), which reuses a fixed-size buffer allocated for the GIF's global screen width without checking if subsequent image frames exceed these dimensions. Vendor-released patch available in version 1.031. CVSS 6.5 indicates network-accessible exploitation requiring no authentication or user interaction, though the impact is limited to low confidentiality/integrity with no availability disruption. No public exploit identified at time of analysis.
Heap buffer overflow in Imager::File::GIF (Perl image processing library) versions through 1.002 allows local attackers to corrupt memory via specially crafted multi-frame GIF files. The vulnerability stems from missing boundary validation in the skip-image code path, which writes image data beyond allocated buffer boundaries when processing malformed GIF frames. With EPSS score at 0.02% (5th percentile) and no evidence of active exploitation, this represents a low-probability supply chain risk for Perl applications processing untrusted GIF files. Patch released in version 1.003.
Out-of-bounds write in Huawei HarmonyOS and EMUI distributed file system module allows authenticated local attackers to corrupt memory, potentially affecting system availability and integrity. CVSS 6.8 reflects adjacent network access requirement and low attack complexity, but exploitation requires prior authentication and local network presence. No public exploit code or active exploitation confirmed at time of analysis.
Out-of-bounds read and buffer overflow in the Linux kernel's ksmbd SMB server allows authenticated remote attackers to corrupt memory or read past allocated buffers by sending a malformed inheritable ACE with an inflated num_subauth value. The flaw resides in smb_inherit_dacl() and smb_set_ace(), where the variable-length SID is not bounds-checked during DACL inheritance, enabling heap corruption with potential for remote code execution against any SMB server using ksmbd. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the vendor patch is available across multiple stable branches.
Buffer overflow in AMD GPU driver IOCTL handler enables local privilege escalation to root on Linux systems running AMD Instinct or Radeon Pro GPUs. Authenticated local users with low privileges can exploit an out-of-bounds write vulnerability in the AMDGV_CMD_GET_DIAG_DATA IOCTL to achieve arbitrary kernel code execution. EPSS data not available; no public exploit or CISA KEV listing identified at time of analysis, suggesting limited active exploitation despite high CVSS 8.5 severity.
Local privilege escalation in AMD Platform Management Framework (PMF) allows authenticated attackers with low privileges to execute arbitrary code with elevated system privileges through an out-of-bounds write vulnerability. Affects multiple AMD Ryzen processor series (6000, 7035, 7040, 8040, and Embedded R8000) across mobile and embedded platforms. The CVSS 4.0 score of 8.4 reflects high impact to system integrity and availability with changed scope, indicating the attacker can escape the vulnerable component's security context. No active exploitation confirmed in CISA KEV at time of analysis, and public exploit code availability is not indicated in current intelligence.
Out-of-bounds write in the AMD Platform Management Framework (PMF) Driver enables local authenticated users to escalate privileges on AMD Ryzen 6000/7000/8000 series processors. The vulnerability stems from improper input validation (CWE-787) allowing memory corruption beyond allocated buffer boundaries. Exploitation requires low-privilege local access with low attack complexity (CVSS 4.0: AV:L/AC:L/PR:L), making this a realistic post-compromise escalation vector. AMD released chipset driver version 7.06.02.123 addressing all affected Ryzen series. No public exploit or active exploitation confirmed at time of analysis.
Out-of-bounds read/write in AMD Platform Management Framework (PMF) driver allows local authenticated users to escalate privileges on Ryzen 6000/7000/8000 series processors. AMD has released patched chipset software version 7.06.02.123 addressing the improper input validation vulnerability. No public exploit code identified and CISA has not added this to KEV, indicating exploitation is not yet confirmed in real-world attacks despite the high CVSS score. Attackers must already have local system access with standard user privileges to exploit this vulnerability.
Use-After-Free vulnerability in the AMD Secure Processor (ASP) PCI driver affects multiple Ryzen, Threadripper, EPYC, and Athlon processor families due to improper input validation. A local attacker with user-level privileges can trigger the UAF condition, resulting in denial of service via platform crash or potential loss of platform integrity. Vendor-released patch: AMD Ryzen Chipset Driver 7.02.13.148 (or equivalent Catalyst driver versions for embedded SKUs). No public exploit identified at time of analysis.
Local privilege escalation and memory corruption in the Linux kernel's atmel-sha204a crypto driver allows an attacker who can remove or unbind the device to trigger a use-after-free during the driver teardown path. The flaw stems from failing to unregister the hwrng and flush the Atmel I2C workqueue before teardown, letting a queued ->read() callback execute against freed state, and an early return that also leaks the hwrng.priv allocation. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, so this is a defense-in-depth hardening fix rather than an urgent emergency.
Out-of-bounds read in the Linux kernel md/raid5 journal recovery path allows a local privileged user supplying a corrupted MD RAID5 journal device to trigger memory disclosure or kernel crashes during journal replay. The flaw exists in r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb(), which trusted on-disk payload size fields without validating them against the metadata block's remaining space. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02% (5th percentile).
Use-after-free in the Linux kernel's mwifiex Wi-Fi driver (Marvell) occurs during adapter teardown: mwifiex_adapter_cleanup() calls the non-synchronous timer_delete() on the wakeup_timer, so a still-running wakeup_timer_fn callback can dereference adapter fields (hw_status, if_ops.card_reset) after mwifiex_free_adapter() frees them along the card-removal path. A local attacker who can trigger device removal while the timer fires could corrupt freed kernel memory, enabling privilege escalation or denial of service. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%, 5th percentile), and the fix (timer_delete_sync()) is merged into stable releases.
Improper memory deallocation in the Linux kernel's NX-842 hardware compression crypto driver (nx842_crypto_alloc_ctx/free_ctx) causes bounce buffers allocated as order-2 (4 pages) to be released with single-page free_page() calls, leaking three of every four pages. The flaw is local-only with no public exploit identified at time of analysis, and EPSS (0.02%, 5th percentile) reflects negligible mass-exploitation interest. Note that the NVD CVSS (7.8, C:H/I:H/A:H) appears overstated for what the upstream commit explicitly describes as a memory leak rather than corruption.
Use-after-free in the Linux kernel Bluetooth subsystem (hci_event) allows an adjacent attacker within Bluetooth range to potentially achieve memory corruption against vulnerable hosts during SSP pairing. The flaw stems from missing hdev locking in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), where an hci_conn structure can be freed concurrently while still in use. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%).
Use-after-free in the Linux kernel's QRTR (Qualcomm IPC Router) name service driver remove path allows local low-privileged users to corrupt memory and potentially escalate privileges. The flaw occurs because qrtr_ns_data_ready() can queue work to a workqueue that has already been destroyed during driver teardown, dereferencing freed memory. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the fix has landed across multiple stable kernel trees.
Data corruption in the Linux kernel md-llbitmap RAID subsystem allows stale bitmap pages to be read from spare disks during rebuild. The md-llbitmap code iterated rdevs checking only raid_disk assignment and the Faulty flag, omitting the In_sync flag, so bitmap data could be sourced from a not-yet-synchronized spare. No public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%), but the bug can silently corrupt arrays during normal operation or recovery.
Local privilege escalation in the Linux kernel's vfio/cdx (Composable DMA-capable eXtension) driver allows a process with access to a VFIO device file descriptor to trigger a use-after-free of the cdx_irqs array via concurrent VFIO_DEVICE_SET_IRQS ioctls. The race in vfio_cdx_set_msi_trigger() can be exploited by a local low-privileged attacker for memory corruption with high confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis and EPSS is very low (0.02%, 5th percentile).
Local privilege escalation and memory corruption in the Linux kernel's MediaTek JPEG (mtk-jpeg) media driver allows a local user with access to the device to trigger a use-after-free condition. The flaw occurs in mtk_jpeg_release() which frees the context structure without first cancelling pending workqueue items, creating a race window during device close where the worker thread accesses freed memory. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, but the bug is fixed across multiple stable trees.
Local privilege escalation potential in the Linux kernel's Nouveau DRM driver stems from a 32-bit integer overflow in the pushbuf relocation bounds check (nouveau_gem_pushbuf_reloc_apply). Authenticated local users with access to the Nouveau GPU device node can bypass the size validation and trigger out-of-bounds writes against the buffer object, leading to high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but a vendor patch is available across multiple stable kernel branches.
Use-after-free in the Linux kernel ALSA caiaq USB audio driver allows local code execution when the device probe path encounters an error during setup_card(). The setup_card() function previously ignored failures from snd_card_register() and continued executing, leaving freed card structures accessible to subsequent initialization calls such as snd_usb_caiaq_control_init(). No public exploit identified at time of analysis, and EPSS is low at 0.02% (5th percentile), consistent with the local attack vector and narrow hardware-driver scope.
Stack buffer overrun in the Linux kernel's pt5161l hwmon driver allows a malicious or malfunctioning I2C device to write up to 32 bytes into a 24-byte stack buffer during pt5161l_read_block_data(), corrupting kernel memory. The flaw affects Linux 6.9 through versions before the stable fixes, and a secondary bug causes the driver to process stale data as valid when retries are exhausted with a length mismatch. EPSS is very low (0.02%) and no public exploit identified at time of analysis.
Use-after-free in the Linux kernel's rxrpc (AF_RXRPC) networking subsystem allows local attackers with low privileges to trigger memory corruption when skb_unshare() fails during packet input handling. Affected Linux kernel versions from 6.2 up to the fixed releases can be exploited to cause a NULL-pointer oops and potentially escalate privileges or crash the system. No public exploit identified at time of analysis; EPSS is very low (0.02%) and the issue is not present in CISA KEV.
Use-after-free in the Linux kernel's i.MX SPI driver (spi-imx) can be triggered when the driver is unbound, allowing a local privileged user to corrupt kernel memory and potentially escalate to full kernel code execution. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a kernel-level UAF with high CIA impact warrants prompt patching on affected i.MX-based systems.
Use-after-free in the Linux kernel's io_uring zero-copy receive (zcrx) subsystem allows local low-privileged attackers to corrupt memory and potentially escalate privileges. The flaw stems from io_free_rbuf_ring() accessing a struct user_struct after io_zcrx_ifq_free() has already released the reference, creating a UAF window. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but the bug class (UAF in io_uring) has historically been weaponized for LPE.
Heap out-of-bounds write in the Linux kernel UDF filesystem driver allows a local attacker to corrupt kernel memory by mounting a crafted UDF image containing repeated partition descriptors. The flaw stems from incorrect bookkeeping in handle_partition_descriptor() where appended slots never record partnum, causing duplicate descriptors to overflow the part_descs_loc[] table. No public exploit identified at time of analysis, and EPSS scores the exploitation probability at only 0.02%.
Use-after-free in the Linux kernel's Open Firmware (OF) device tree unittest driver (testdrv_probe) allows local low-privileged attackers to corrupt memory and potentially escalate privileges. The flaw stems from an erroneous of_node_put() call that releases a device_node reference owned by the device model, which can then be dereferenced later in of_platform_default_populate(). EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a vendor patch is available.
Local privilege escalation potential in the Linux kernel's GFS2 filesystem stems from a use-after-free in the inline data write path of gfs2_iomap_begin(), where the inode buffer head is released before iomap->inline_data is consumed by iomap_write_end_inline(). Local users with the ability to write to a GFS2-backed filesystem can trigger memory corruption via a freed page that kswapd has since reclaimed. No public exploit identified at time of analysis, EPSS probability is very low (0.02%), and the issue is not listed in CISA KEV, but vendor patches across multiple stable trees are available.
Local privilege escalation and denial of service in the Linux kernel's AMD XDNA (amdxdna) accelerator driver allows authenticated local users to trigger a use-after-free condition by submitting jobs to a hardware context concurrently with resource release. The flaw affects kernels in the 6.14.9 through 6.15 series and was resolved upstream by stopping job scheduling around aie2_release_resource() and validating context state in aie2_sched_job_run(). No public exploit identified at time of analysis, and EPSS scoring (0.02%) indicates negligible near-term exploitation probability.
Use-after-free and double-free conditions in the Linux kernel's SMB client (smb2_open_file) can be triggered when SMB2_open() retry paths fail to zero out err_iov and err_buftype buffers, leading to memory corruption. The flaw affects multiple stable kernel branches (6.1, 6.6, 6.12, 6.18) and is fixed in upstream patches; no public exploit identified at time of analysis and EPSS is very low (0.02%) despite the 9.8 CVSS score.
Use-after-free in the Linux kernel bonding driver's Adaptive Load Balancing (ALB) subsystem allows a local low-privileged user to crash the kernel by racing rlb_arp_recv() against rlb_deinitialize() during rapid bond interface up/down cycling. Specifically, the RX handler continues to dereference rx_hashtbl entries after rlb_deinitialize() frees them, because recv_probe is set to NULL without first draining in-flight softirq handlers via synchronize_net(). Systems running bonded NICs in ALB mode (mode=6) on affected kernel versions - including Dell PowerEdge hardware and Canonical-distributed kernels - are at risk of kernel panic. No public exploit identified at time of analysis, and EPSS at 0.02% (7th percentile) confirms no observed mass exploitation.
Local privilege escalation and memory corruption in the Linux kernel's Exynos DRM VIDI (Virtual Display) driver allows local users with access to the DRM device to trigger null pointer dereferences, garbage value accesses, out-of-bounds reads, or use-after-free conditions via the vidi_connection_ioctl() handler. The flaw stems from an incorrect device-to-context lookup that retrieves driver_data from the exynos-drm master device instead of the VIDI component device. A vendor patch is available across multiple stable branches, no public exploit identified at time of analysis, and EPSS rates exploitation probability at only 0.02%.
Local privilege escalation in the Linux kernel's BPF subsystem stems from incorrect refcounting in check_pseudo_btf_id() that can leave a BTF (BPF Type Format) object with a zero refcount while still in use, creating a use-after-free condition. Affected kernels (around 6.14 through pre-patch 6.18.14/6.19.4) allow a local low-privileged user capable of loading BPF programs to corrupt kernel memory, with no public exploit identified at time of analysis and EPSS scoring exploitation likelihood at only 0.02%.
Use-after-free in the Linux kernel's ab8500 power supply driver (drivers/power/supply/ab8500) can be triggered during device removal or probe due to incorrect ordering of devm_-managed resource allocation. The race allows an IRQ handler to invoke power_supply_changed() against a freed or uninitialized power_supply handle, typically resulting in a kernel crash or silent memory corruption. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the flaw is not on CISA KEV.
Memory corruption in the Linux kernel's pm8916_lbc power-supply driver (Qualcomm PM8916 PMIC linear battery charger) stems from a use-after-free in power_supply_changed(), where devm-managed teardown ordering lets a charger interrupt fire against a freed or not-yet-initialized power_supply handle during driver probe or removal. Local attackers able to trigger device unbind/rebind or module load/unload can crash the system or silently corrupt kernel memory. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis; the issue is not in CISA KEV.
Use-after-free in the Linux kernel's goldfish power-supply driver (drivers/power/supply/goldfish_battery) allows a local attacker to crash the system or corrupt kernel memory by racing device probe/removal against the battery IRQ handler. The driver requested its IRQ via devm_ before registering the power_supply handle, so on teardown the handle is freed while the still-live interrupt can fire and call power_supply_changed() on freed (or, during probe, uninitialized) memory. No public exploit identified at time of analysis; EPSS is negligible (0.02%) and the bug is not in CISA KEV.
Use-after-free in the Linux kernel's OpenVPN data channel offload (ovpn) module allows a local attacker with low privileges to potentially trigger memory corruption when transmitting shared sk_buff packets through ovpn_net_xmit. The flaw stems from continued use of a stale skb pointer after skb_share_check frees the original buffer, affecting peer lookup, skb_dst_drop, and TX statistics paths. No public exploit identified at time of analysis, and the EPSS probability is very low (0.02%), suggesting the bug is more of a stability and memory-safety concern than an imminently weaponized vector.
Local privilege-relevant memory corruption in the Linux kernel's sbs-battery power supply driver (drivers/power/supply/sbs-battery) stems from a use-after-free in power_supply_changed(). Because the driver requested its IRQ via devm_ before allocating/registering the power_supply handle, devm teardown frees the handle in reverse order while the interrupt is still live, so an SMBus battery interrupt firing during device removal (or before registration during probe) invokes power_supply_changed() on a freed or uninitialized pointer, typically crashing the system or silently corrupting memory. EPSS is negligible (0.02%, 7th percentile), no public exploit is identified, and it is not on CISA KEV; the fix is upstream-committed and shipped in multiple stable releases.
Local memory corruption affects the Linux kernel's hwmon ibmpex driver, where commit 6946c726c3f4 - intended to fix a use-after-free in the high/low sysfs store handlers - instead introduced a new race condition by setting driver data to NULL before removing sensor attributes. The remediation is a revert of that flawed commit across the 6.1, 6.6, 6.12, 6.18, and 6.19 stable trees. With EPSS at 0.02% (7th percentile), no public exploit identified at time of analysis, and no CISA KEV listing, real-world risk is minimal given the obscure IBM PowerExecutive sensor hardware the driver targets.
Use-after-free in the Linux kernel's pf1550 power-supply driver (drivers/power/supply/pf1550) lets a queued hardware interrupt invoke power_supply_changed() on an already-freed power_supply handle during module/device removal, and can also dereference an uninitialized handle during probe. The flaw stems from devm-managed resource ordering: the IRQ was requested before the power_supply was registered, so devm teardown frees the power_supply first. Impact is typically a kernel crash or silent memory corruption. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis.
Local privilege-level use-after-free in the Linux kernel's bq256xx battery charger driver (power: supply: bq256xx) allows memory corruption when a charger IRQ fires during device probe or removal, calling power_supply_changed() against a freed or uninitialized power_supply handle. The flaw stems from devm_ resources being released in reverse order, so the IRQ outlives the power_supply registration; triggering it typically crashes the system or silently corrupts kernel memory. No public exploit is identified at time of analysis and EPSS exploitation probability is negligible (0.02%, 7th percentile), with no CISA KEV listing.
Local privilege-impacting memory corruption in the Linux kernel's cpcap-battery power supply driver allows a use-after-free in power_supply_changed() triggered during device probe or removal. The driver requested its IRQ via devm_ before registering the power_supply handle, so on teardown the handle is freed while the interrupt handler can still fire, dereferencing freed memory and typically crashing the system or silently corrupting memory. EPSS is negligible (0.02%, 7th percentile) and there is no public exploit identified at time of analysis; the issue is confined to Motorola CPCAP PMIC hardware (e.g. Droid 4) rather than general-purpose servers.
Use-after-free in the Linux kernel's pm8916_bms_vm power-supply driver (for Qualcomm PM8916 battery monitoring on certain Snapdragon SoCs) lets a freed power_supply handle be dereferenced when an IRQ fires during device removal or probe, corrupting kernel memory or crashing the system. The flaw stems from devm-managed IRQ registration occurring before the power_supply handle was registered, so devm's reverse-order teardown frees the handle while the interrupt is still live. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; impact is realistically a local denial of service on the narrow set of devices using this driver.
Local privilege-level use-after-free in the Linux kernel's bq25980 battery charger power-supply driver (drivers/power/supply/bq25980.c) allows a triggered IRQ to call power_supply_changed() on a freed or uninitialized power_supply handle, typically crashing the system or corrupting memory. The flaw stems from devm-managed IRQ registration ordering relative to power_supply registration, creating a race during driver probe and removal. EPSS is negligible (0.02%, 7th percentile), there is no public exploit identified at time of analysis, and it is not on CISA KEV; the fix is committed upstream and shipped in multiple stable kernels.
Local privilege escalation potential via a use-after-free in the Linux kernel's act8945a power supply driver, where the ACT8945A PMIC IRQ is requested before the power_supply handle is registered (and torn down after it during removal), letting an interrupt invoke power_supply_changed() on a freed or uninitialized handle. Affected systems run vulnerable Linux kernel builds (pre-6.6.128, pre-6.12.75, pre-6.1.165, pre-5.15.202, pre-5.10.252, and others) with the act8945a driver bound to real Atmel/Microchip SAMA5-class hardware. There is no public exploit identified at time of analysis; EPSS is very low (0.02%, 7th percentile) and the flaw is not in CISA KEV.
Local privilege-bounded use-after-free in the Linux kernel's CAIF serial line discipline (caif_serial / CONFIG_CAIF_TTY) lets a local attacker corrupt kernel memory by racing ldisc_close() against packet transmission. ldisc_close() drops the tty reference via tty_kref_put() while the CAIF network device is still live, so a concurrent caif_xmit()/handle_tx() can dereference the freed tty (ser->tty) and call tty->ops->write() on dangling memory, confirmed by a KASAN slab-use-after-free report. A reproducer is published, but no public weaponized exploit and no active exploitation are recorded; EPSS is 0.02% (7th percentile), consistent with a niche driver and a tight race window.
Local privilege escalation potential in the Linux kernel's GFS2 (Global File System 2) filesystem stems from a slab-use-after-free in qd_put() that corrupts the quota data LRU list during filesystem shutdown. Local authenticated users with access to a GFS2 mount could trigger the shrinker path (gfs2_qd_shrink_scan) to dereference freed objects, with EPSS at 0.02% indicating no public exploit identified at time of analysis. The flaw was introduced by commit a475c5dd16e5 which began freeing quota data synchronously without removing entries from the LRU list first.
Memory corruption in the Linux kernel's AMD GPU driver (amdgpu) arises because amdgpu_gmc_get_nps_memranges() releases buffers allocated by amdgpu_discovery_get_nps_info() with kfree() even though that memory may have been allocated via kvcalloc()/vmalloc(), corrupting the kernel allocator state. The flaw affects systems running AMD GPUs on kernels prior to the fixed stable releases (6.12.75, 6.18.14, 6.19.4, and 7.0). There is no public exploit identified at time of analysis, EPSS risk is negligible (0.02%), and the issue was found via static analysis and code review rather than in-the-wild exploitation.
Local privilege-escalation-class memory corruption in the Linux kernel's BPF arena subsystem (introduced around 6.9) allows a process holding BPF capabilities to trigger a use-after-free. When a BPF arena VMA is inherited across fork(), arena_vm_open() bumps the mmap refcount but never registers the child VMA in arena->vma_list, leaving vml->vma pointing at the parent VMA; after the parent munmaps, a child call to bpf_arena_free_pages() dereferences the dangling pointer in zap_pages(). No public exploit or active exploitation is identified (EPSS 0.02%, 5th percentile), and vendor patches are available.
Out-of-bounds write in NVIDIA Virtual GPU Manager exposes virtualized GPU deployments to denial of service, data tampering, and information disclosure. A local, low-privileged attacker operating within a virtualized environment can trigger the memory corruption flaw in the host-side vGPU manager component across multiple affected driver branches (vGPU 16.x through 20.x). No public exploit code exists at time of analysis, and EPSS probability is at the 2nd percentile, but the high availability impact (A:H in CVSS) and the prevalence of vGPU in enterprise virtualization infrastructure warrant prompt patching.
Local privilege escalation and code execution in NVIDIA Virtual GPU Manager arises from a use-after-free on stack memory within the vGPU hypervisor component. Authenticated local attackers on the host or guest side of an affected vGPU deployment (vGPU branches 16.x through 20.x) can trigger memory corruption that may yield DoS, info disclosure, data tampering, or arbitrary code execution. No public exploit identified at time of analysis and EPSS is 0.01%, but SSVC rates technical impact as total.
Local privilege escalation in the NVIDIA Display Driver for Windows and Linux allows an authenticated low-privileged user to trigger an out-of-bounds write (CWE-787) in the kernel-mode driver, potentially leading to code execution, privilege escalation, information disclosure, data tampering, or denial of service. The flaw affects GeForce, RTX/Quadro/NVS, and Tesla product lines, with NVIDIA confirming the vulnerability and releasing patched driver versions. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.01%.
Local privilege escalation and code execution in the NVIDIA Display Driver for Linux (GeForce, RTX/Quadro/NVS, Tesla, and vGPU Guest/Manager components) stems from a use-after-free memory corruption flaw (CWE-416) that a local low-privileged user can trigger to compromise the kernel-level driver. The scope-changed CVSS 8.8 score reflects that successful exploitation crosses a trust boundary, potentially yielding code execution, privilege escalation, information disclosure, data tampering, or denial of service. EPSS is 0.01% (1st percentile) and there is no public exploit identified at time of analysis, but a vendor patch is available across all affected branches.
Out-of-bounds write in Autodesk 3ds Max 2026 and 2027 enables arbitrary code execution when a user opens a maliciously crafted TIF image file, with impact ranging from process crash to data corruption to code execution in the context of the running application. The flaw requires local file handling and user interaction (UI:R), and there is no public exploit identified at time of analysis. EPSS is negligible (0.01%) and SSVC marks exploitation status as none, but the technical impact is rated total, making this a credible client-side risk for design and VFX workstations.
Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a maliciously crafted .solv repository metadata file. The flaw stems from insufficient input validation during decompression of attacker-controlled data, enabling information disclosure, control-flow alteration, or denial of service across multiple Red Hat Enterprise Linux releases and SUSE distributions. SSVC marks exploitation as PoC-level with total technical impact, while EPSS remains very low at 0.01%, indicating limited probability of widespread exploitation despite high severity.
Heap use-after-free write in libyang before 5.2.6 enables remote authenticated attackers to crash processes or potentially execute code by submitting crafted YANG XML documents to applications using the library for parsing. The flaw resides in lyd_parser_set_data_flags, which mishandles metadata list pointers when freeing non-head default metadata entries. No public exploit identified at time of analysis, EPSS is low at 0.03%, and SSVC rates technical impact as partial with no automatable exploitation.
Remote code execution in FastNetMon Community Edition through 1.2.9 stems from an off-by-one heap write in the pervasively-used dynamic_binary_buffer_t class, reachable by anyone who can send NetFlow, sFlow, IPFIX, or BGP traffic to the DDoS-detection appliance. Because the flawed buffer is exercised during BGP encoding/decoding, NetFlow template parsing, and Flow Spec NLRI construction, an unauthenticated network attacker can corrupt adjacent heap metadata and potentially execute arbitrary code. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), but no public exploit is identified at time of analysis and it is not listed in CISA KEV.
runAsNonRoot bypass in containerd allows crafted container images to execute as UID 0 despite Kubernetes security policies designed to prevent root execution. The flaw stems from containerd treating numeric USER directives that overflow a 32-bit integer as usernames, and if the image's /etc/passwd maps that string to root, the container runs as root. No public exploit identified at time of analysis, but the issue was responsibly disclosed by Lei Wang (@ssst0n3) and fixed in multiple containerd release branches.
Out-of-bounds heap write in the Linux kernel's IPv6 RPL Source Routing Header (SRH) processing path allows local attackers with raw IPv6 socket access to corrupt memory beyond the skb buffer. The flaw in ipv6_rpl_srh_rcv() occurs when a recompressed SRH grows larger than the received one and consumes unchecked headroom, causing skb_mac_header_rebuild() to wrap a u16 offset and trigger a ~64KiB out-of-bounds memmove. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug is reachable from unprivileged userspace via a single crafted AF_INET6/SOCK_RAW packet over loopback per the reporter's KASAN reproduction.
Local privilege escalation and potential memory corruption in the Linux kernel's rtmutex (real-time mutex) subsystem stems from remove_waiter() incorrectly operating on the current task instead of waiter::task during proxy-lock rollback in futex_requeue() paths. Exploitation can leave a dangling pi_blocked_on pointer primed for a use-after-free, with CVSS 7.8 (AV:L/AC:L/PR:L/UI:N) reflecting local low-privileged access. EPSS is 0.02% (7th percentile) and no public exploit identified at time of analysis, but the UAF primitive is a known building block for kernel privilege escalation.
Local privilege-level data corruption in the Linux kernel's accel/ivpu driver (Intel VPU accelerator) allows authenticated local users to trigger incorrect device access and memory corruption by re-exporting imported GEM (Graphics Execution Manager) buffer objects via the DMA-BUF prime interface. The flaw stems from the missing validation that allowed buffer flag settings to be lost on re-export, and while CVSS rates it 7.8 High due to local high-impact effects, EPSS is only 0.02% and no public exploit identified at time of analysis.
Use-after-free in the Linux kernel's udlfb (DisplayLink USB framebuffer) driver allows a local user with access to the framebuffer device to retain read/write access to freed kernel memory pages after a USB disconnect or framebuffer reallocation. The dlfb_ops_mmap() function maps vmalloc-backed framebuffer pages to userspace without installing vm_ops callbacks, so the kernel cannot track active mappings and vfree() is called on pages still referenced by user PTEs. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the issue is not listed in CISA KEV.
Local privilege escalation in FreeBSD via the ptrace(PT_SC_REMOTE) interface allows an unprivileged user with debug access to a process to trigger arbitrary kernel code execution by abusing improperly validated parameters in syscall(2) and __syscall(2) meta-system calls. Affected releases include FreeBSD 14.3, 14.4, and 15.0 prior to their respective patch levels, and no public exploit identified at time of analysis. EPSS exploitation probability is low (0.02%) but the CVSS base score of 8.4 reflects high impact across confidentiality, integrity, and availability once a foothold exists.
A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object. In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability. The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges.
Heap-based buffer overflow in MediaArea MediaInfoLib's LXF (Leitch eXchange Format) element parser allows attackers to achieve arbitrary code execution when a victim opens a maliciously crafted LXF media file. The flaw, disclosed by Cisco Talos as TALOS-2026-2371 and assigned CWE-823, requires user interaction and local file access but no privileges, and at the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.
Out-of-bounds write in Netatalk versions 2.0.4 through 4.4.2 stems from a missing o_len bounds check in the pull_charset_flags() character-set conversion routine, enabling remote attackers with low privileges to corrupt memory and potentially compromise confidentiality, integrity, and availability of the AFP file server. The flaw is addressed in Netatalk 4.4.3, and no public exploit has been identified at time of analysis.
Out-of-bounds write in Netatalk versions 2.0.4 through 4.4.2 affects the convert_charset() routine during null termination handling, exposing the AppleTalk/AFP server implementation to memory corruption. Authenticated remote attackers can trigger heap or stack corruption that threatens confidentiality, integrity, and availability of the host. No public exploit identified at time of analysis, and the vendor has shipped a corrective release in 4.4.3.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 allows a remote attacker to execute arbitrary code within the renderer sandbox via a crafted HTML page that triggers a use-after-free in the DOM implementation. The flaw requires user interaction (visiting a malicious page) but no authentication, and while Chromium rates its security severity as Medium, the CVSS 3.1 base score of 8.8 reflects high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 stems from a use-after-free flaw in the WebRTC component, enabling a remote attacker to run arbitrary code when a victim visits a crafted HTML page. Chromium rates the severity as High and the CVSS 3.1 score is 8.8, but exploitation requires user interaction (UI:R); no public exploit identified at time of analysis.
Remote code execution in Google Chrome on Windows prior to 148.0.7778.179 stems from a use-after-free flaw in the XR (WebXR) component, enabling a remote attacker to run arbitrary code in the renderer process by enticing a user to visit a crafted HTML page. Chromium rates the issue High severity and CVSS scores it 8.8; no public exploit identified at time of analysis and SSVC reports exploitation status as none. A vendor patch is available via the Stable Channel update referenced in the Chrome Releases advisory.
Sandbox escape in Google Chrome (Linux and ChromeOS) prior to 148.0.7778.179 allows a remote attacker who has already compromised the renderer process to break out via a crafted video file processed by the GFX component. The flaw is a type confusion (CWE-843) rated High severity by Chromium, with no public exploit identified at time of analysis and SSVC indicating exploitation has not been observed. It requires user interaction and chained exploitation of a prior renderer compromise, which raises the bar despite the High CVSS of 7.5.
Remote code execution in Google Chrome versions prior to 148.0.7778.179 stems from a use-after-free condition in the QUIC networking stack, allowing remote attackers to execute arbitrary code within the browser sandbox via malicious network traffic. Exploitation requires user interaction (visiting a malicious site or processing attacker-controlled QUIC traffic), and no public exploit has been identified at time of analysis. Chromium rates this as High severity, and a vendor patch is available.
Remote code execution in Google Chrome on Windows prior to version 148.0.7778.179 stems from a use-after-free condition in the GPU component, enabling a remote attacker to run arbitrary code within the renderer sandbox after the victim loads a crafted HTML page. Google has rated the issue High severity and shipped a fix; no public exploit identified at time of analysis and SSVC indicates exploitation status 'none' despite total technical impact.
Remote code execution in Google Chrome on Linux before 148.0.7778.179 stems from a use-after-free flaw in the WebRTC component, allowing a remote attacker who lures a victim to a crafted HTML page to execute arbitrary code in the renderer process. Chromium rates the severity as Critical and a vendor patch is available, though there is no public exploit identified at time of analysis and SSVC indicates no observed exploitation. The CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability with required user interaction (visiting a page).
Out-of-bounds write in NVIDIA TensorRT allows remote attackers to corrupt memory and tamper with data processed by the inference engine, per NVIDIA's own advisory (KB 5836). The CVSS 8.2 score reflects high integrity impact with no privileges or user interaction required, though confidentiality is unaffected. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Memory corruption in ISC BIND 9's DNS-over-HTTPS (DoH) implementation lets remote attackers trigger a use-after-free (CWE-416) by interacting with the DoH endpoint, affecting BIND 9.20.0-9.20.22, 9.21.0-9.21.21, and the 9.20.9-S1-9.20.22-S1 subscription builds; the older 9.18.x branch is explicitly not affected. The vendor scores it CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), implying unauthenticated remote impact, though CISA's SSVC rates technical impact as only 'partial' and exploitation as 'none'. There is no public exploit identified at time of analysis and EPSS is very low (0.02%, 7th percentile), indicating no observed exploitation activity.
Remote denial of service in NLnet Labs Unbound recursive DNS resolver (versions up to and including 1.25.0) allows an attacker controlling a DNSSEC-signed domain to crash the resolver process with a single crafted query. The DNSSEC validator uses an incorrect counter when computing write offsets for ADDITIONAL section rrsets while building chase-reply messages, leaving an uninitialized pointer that is later dereferenced. No public exploit identified at time of analysis, and the issue is fixed in Unbound 1.25.1.
Use-after-free in the DNSSEC validator of NLnet Labs Unbound resolver versions 1.19.1 through 1.25.0 allows remote attackers to crash the daemon or potentially achieve arbitrary code execution by serving a malicious signed zone to a vulnerable resolver. The flaw stems from a struct-assignment bug during deep copying of response messages when DS sub-queries suspend validation under NSEC3 computational budget exhaustion. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.1 with network attack vector and no required privileges or user interaction makes this a high-priority patching target for any operator running a recursive Unbound resolver.
Heap buffer overflow write in libheif (versions ≤ 1.21.2) lets a crafted HEIF/AVIF file write 64 bytes of attacker-controlled data past a chroma-plane heap allocation during grid tile compositing. Any application using libheif to decode untrusted images - image viewers, file managers, browsers, mobile OS thumbnailers - is exposed, with CVSS 8.8 reflecting likely code execution after user-triggered file open. No public exploit identified at time of analysis, but the deterministic 64-byte fully-controlled overflow is highly favorable for exploitation.
Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.
Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.
Out-of-bounds write in Samsung's Escargot lightweight JavaScript engine (commit 590345cc6258317c5da850d846ce6baaf2afc2d3) allows attackers to corrupt memory by inducing buffer overflows through crafted JavaScript. Exploitation requires local execution of attacker-supplied script content with user interaction, but successful triggering yields high impact to confidentiality, integrity, and availability (CVSS 7.8). No public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Use-after-free memory corruption in Samsung's Escargot JavaScript engine (commit 590345cc6258317c5da850d846ce6baaf2afc2d3) enables pointer manipulation when processing crafted JavaScript content, with CVSS 7.8 reflecting high-impact local exploitation requiring user interaction. The affected codepaths include evaluator error handling, TypedArray copyWithin operations on resizable buffers, DataView coercion, and array fast-mode transitions - all triggerable by attacker-controlled script. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Use-After-Free memory corruption in OpenHarmony v6.0 and prior enables a local attacker with low privileges to execute arbitrary code, achieving a changed scope with high availability impact. The vulnerability is rooted in CWE-416, where freed memory regions are accessed without proper lifecycle management, a class of flaw frequently exploitable for control-flow hijacking. No public exploit code or CISA KEV listing has been identified at time of analysis, though the OpenHarmony security team has published a formal disclosure.
Out-of-bounds write in OpenHarmony v6.0 and earlier enables a local low-privileged attacker to corrupt memory and trigger an unrecoverable denial-of-service condition on affected devices. The flaw was disclosed by the OpenHarmony project itself, and no public exploit identified at time of analysis. Although CVSS scores it 8.4 (High) due to scope change and high confidentiality/integrity impact, the vector indicates local-only access with low privileges already required.
Arbitrary code execution in OpenHarmony v6.0 and earlier enables remote attackers with low privileges to execute code within pre-installed apps via an out-of-bounds write (CWE-787). The CVSS 8.8 vector reflects network-reachable exploitation with low complexity and no user interaction once minimal privileges are obtained, yielding high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Heap-use-after-free in Magick.NET's MSL (Magick Scripting Language) decoder causes a denial-of-service condition when processing a crafted MSL image file. All Magick.NET NuGet package variants across Q16, Q16-HDRI, and multi-architecture builds prior to version 14.13.1 are affected. No public exploit code and no confirmed active exploitation (CISA KEV) have been identified at time of analysis; the CVSS vector indicates local-only access with availability-only impact, classifying this as a crasher rather than a code execution or data exposure issue.
Heap out-of-bounds write in the Crypt::OpenSSL::PKCS12 Perl module (versions up to and including 1.94) allows attackers who can supply a malicious PKCS12 file processed via info() or info_as_hash() to corrupt heap memory and potentially achieve remote code execution. The flaw stems from an integer overflow when an OCTET STRING or BIT STRING attribute on a SAFEBAG is >= 1 GiB in size, causing an undersized allocation followed by an OOB write. No public exploit identified at time of analysis, but the upstream patch and oss-security disclosure are public.
Use-after-free vulnerability in Open5GS NRF component (versions up to 2.7.7) allows authenticated remote attackers to trigger denial of service via the discover_handler function in nghttp2-server.c. Publicly available exploit code exists (GitHub issue #4476), but vendor has not responded to early disclosure. EPSS data not available; CVSS 4.3 (Medium) reflects limited scope (DoS only, authenticated access required). Not listed in CISA KEV, indicating no confirmed widespread exploitation despite public POC.
Memory corruption in radare2 6.1.5's GDB client allows remote attackers to crash the application or potentially execute code through malformed thread information responses. The vulnerability triggers when the GDB remote protocol's qsThreadInfo command fails after qfThreadInfo has allocated memory, causing a use-after-free condition. While no public exploits have been identified, the CVSS 8.7 score reflects the potential for remote unauthenticated denial of service impact.
Remote attackers can trigger memory corruption in radare2 6.1.5 through its GDB remote debugging interface, causing denial of service or potentially achieving code execution. The use-after-free vulnerability in gdbr_threads_list() occurs when processing a valid qfThreadInfo response followed by a malformed qsThreadInfo response, leading to improper memory management. VulnCheck reported this issue and vendor patch commit c213ad6894a1eb9086ac8bf5fae35757e9e1683c addresses the vulnerability.
Heap buffer overflow in Imager for Perl versions through 1.030 allows remote attackers to corrupt memory and potentially read limited data via specially crafted multi-frame GIF files. The vulnerability stems from missing bounds validation in the skip-image code path of i_readgif_multi_low(), which reuses a fixed-size buffer allocated for the GIF's global screen width without checking if subsequent image frames exceed these dimensions. Vendor-released patch available in version 1.031. CVSS 6.5 indicates network-accessible exploitation requiring no authentication or user interaction, though the impact is limited to low confidentiality/integrity with no availability disruption. No public exploit identified at time of analysis.
Heap buffer overflow in Imager::File::GIF (Perl image processing library) versions through 1.002 allows local attackers to corrupt memory via specially crafted multi-frame GIF files. The vulnerability stems from missing boundary validation in the skip-image code path, which writes image data beyond allocated buffer boundaries when processing malformed GIF frames. With EPSS score at 0.02% (5th percentile) and no evidence of active exploitation, this represents a low-probability supply chain risk for Perl applications processing untrusted GIF files. Patch released in version 1.003.
Out-of-bounds write in Huawei HarmonyOS and EMUI distributed file system module allows authenticated local attackers to corrupt memory, potentially affecting system availability and integrity. CVSS 6.8 reflects adjacent network access requirement and low attack complexity, but exploitation requires prior authentication and local network presence. No public exploit code or active exploitation confirmed at time of analysis.
Out-of-bounds read and buffer overflow in the Linux kernel's ksmbd SMB server allows authenticated remote attackers to corrupt memory or read past allocated buffers by sending a malformed inheritable ACE with an inflated num_subauth value. The flaw resides in smb_inherit_dacl() and smb_set_ace(), where the variable-length SID is not bounds-checked during DACL inheritance, enabling heap corruption with potential for remote code execution against any SMB server using ksmbd. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the vendor patch is available across multiple stable branches.
Buffer overflow in AMD GPU driver IOCTL handler enables local privilege escalation to root on Linux systems running AMD Instinct or Radeon Pro GPUs. Authenticated local users with low privileges can exploit an out-of-bounds write vulnerability in the AMDGV_CMD_GET_DIAG_DATA IOCTL to achieve arbitrary kernel code execution. EPSS data not available; no public exploit or CISA KEV listing identified at time of analysis, suggesting limited active exploitation despite high CVSS 8.5 severity.
Local privilege escalation in AMD Platform Management Framework (PMF) allows authenticated attackers with low privileges to execute arbitrary code with elevated system privileges through an out-of-bounds write vulnerability. Affects multiple AMD Ryzen processor series (6000, 7035, 7040, 8040, and Embedded R8000) across mobile and embedded platforms. The CVSS 4.0 score of 8.4 reflects high impact to system integrity and availability with changed scope, indicating the attacker can escape the vulnerable component's security context. No active exploitation confirmed in CISA KEV at time of analysis, and public exploit code availability is not indicated in current intelligence.
Out-of-bounds write in the AMD Platform Management Framework (PMF) Driver enables local authenticated users to escalate privileges on AMD Ryzen 6000/7000/8000 series processors. The vulnerability stems from improper input validation (CWE-787) allowing memory corruption beyond allocated buffer boundaries. Exploitation requires low-privilege local access with low attack complexity (CVSS 4.0: AV:L/AC:L/PR:L), making this a realistic post-compromise escalation vector. AMD released chipset driver version 7.06.02.123 addressing all affected Ryzen series. No public exploit or active exploitation confirmed at time of analysis.
Out-of-bounds read/write in AMD Platform Management Framework (PMF) driver allows local authenticated users to escalate privileges on Ryzen 6000/7000/8000 series processors. AMD has released patched chipset software version 7.06.02.123 addressing the improper input validation vulnerability. No public exploit code identified and CISA has not added this to KEV, indicating exploitation is not yet confirmed in real-world attacks despite the high CVSS score. Attackers must already have local system access with standard user privileges to exploit this vulnerability.
Use-After-Free vulnerability in the AMD Secure Processor (ASP) PCI driver affects multiple Ryzen, Threadripper, EPYC, and Athlon processor families due to improper input validation. A local attacker with user-level privileges can trigger the UAF condition, resulting in denial of service via platform crash or potential loss of platform integrity. Vendor-released patch: AMD Ryzen Chipset Driver 7.02.13.148 (or equivalent Catalyst driver versions for embedded SKUs). No public exploit identified at time of analysis.